ABSTRACT
Security-sensitive workflows impose constraints on the control-flow and authorization policies that may lead to unsatisfiable instances. In these cases, it is still possible to find "least bad" executions where costs associated to authorization violations are minimized, solving the so-called Multi-Objective Workflow Satisfiability Problem (MO-WSP). The MO-WSP is inspired by the Valued WSP and its generalization, the Bi-Objective WSP, but our work considers quantitative solutions to the WSP without abstracting control-flow constraints. In this paper, we define variations of the MO-WSP and solve them using bounded model checking and optimization modulo theories solving. We validate our solutions on real-world workflows and show their scalability on synthetic instances.
- M. Abadi. Logic in Access Control (Tutorial Notes). Springer, 2009.Google ScholarDigital Library
- A. Adriansyah, B. van Dongen, and N. Zannone. Controlling break-the-glass through alignment. ASE Science Journal, 2(4):198--212, 2013.Google Scholar
- A. Armando and S.E. Ponta. Model checking of security-sensitive business processes. In Proc. of FAST, 2009. Google ScholarDigital Library
- D. Basin, S.J. Burri, and G. Karjoth. Optimal workflow-aware authorizations. In Proc. of SACMAT, 2012. Google ScholarDigital Library
- E. Bertino, E. Ferrari, and V. Atluri. The specification and enforcement of authorization constraints in workflow management systems. TISSEC, 2(1):65--104, 1999. Google ScholarDigital Library
- C. Bertolissi, D.R. dos Santos, and S. Ranise. Automated synthesis of run-time monitors to enforce authorization policies in business processes. In Proc. of ASIACCS, 2015. Google ScholarDigital Library
- A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checking without bdds. In Proc. of TACAS, 1999. Google ScholarDigital Library
- N. Bjørner, A. Phan, and L. Fleckenstein. (ν)z - an optimizing SMT solver. In Proc. of TACAS, 2015. Google ScholarDigital Library
- L. Compagna, D.R. dos Santos, S.E. Ponta, and S. Ranise. Cerberus: Automated synthesis of enforcement mechanisms for security-sensitive business processes. In Proc. of TACAS, 2016. Google ScholarDigital Library
- J. Crampton. A reference monitor for workflow systems with constrained task execution. In Proc. of SACMAT, 2005. Google ScholarDigital Library
- J. Crampton and G. Gutin. Constraint expressions and workflow satisfiability. In Proc. of SACMAT, 2013. Google ScholarDigital Library
- J. Crampton, G. Gutin, and D. Karapetyan. Valued workflow satisfiability problem. In Proc. of SACMAT, 2015. Google ScholarDigital Library
- J. Crampton, G. Gutin, D. Karapetyan, and R. Watrigant. The bi-objective workflow satisfiability problem and workflow resiliency. JCS, 25(1):83--115, 2017.Google ScholarCross Ref
- J. Crampton, G. Gutin, and R. Watrigant. On the satisfiability of workflows with release points. In Proc. of SACMAT, 2017. Google ScholarDigital Library
- J. Crampton, G. Gutin, and A. Yeo. On the parameterized complexity of the workflow satisfiability problem. In Proc. of CCS, 2012. Google ScholarDigital Library
- J. Desel and W. Reisig. Place or transition petri nets. In Lectures on Petri Nets I: Basic Models, Advances in Petri Nets. Springer, 1996. Google ScholarDigital Library
- The Sage Developers. SageMath, the Sage Mathematics Software System, 2017. http://www.sagemath.org.Google Scholar
- R.M. Dijkman, M. Dumas, and C. Ouyang. Semantics and analysis of business process models in bpmn. Inf. and Soft. Tech., 50(12):1281 -- 1294, 2008. Google ScholarDigital Library
- D.R. dos Santos and S. Ranise. On run-time enforcement of authorization constraints in security-sensitive business processes. In Proc. of SEFM, 2017.Google Scholar
- D.R. dos Santos and S. Ranise. A survey on workflow satisfiability, resiliency, and related problems. CoRR, abs/1706.07205, 2017.Google Scholar
- D.R. dos Santos, S. Ranise, L. Compagna, and S. E. Ponta. Assisting the Deployment of Security-Sensitive Workflows by Finding Execution Scenarios. In Proc. of DBSec, 2015.Google ScholarCross Ref
- J. Dubrovin, T.A. Junttila, and K. Heljanko. Exploiting step semantics for efficient bounded model checking of asynchronous systems. Sci. Comput. Program., 77(10--11):1095--1121, 2012. Google ScholarDigital Library
- H.B. Enderton. A Mathematical Introduction to Logic. Academic Press, New York-London, 1972.Google Scholar
- V.K. Garg. Maximal antichain lattice algorithms for distributed computations. In Proc. of ICDCN, 2013.Google ScholarCross Ref
- M. Gario and A. Micheli. pysmt: a solver-agnostic library for fast prototyping of smt-based algorithms. In SMT Workshop, 2015.Google Scholar
- J. Holderer, R. Accorsi, and G. Müller. When four-eyes become too much: a survey on the interplay of authorization constraints and workflow resilience. In Proc. of SAC, 2015. Google ScholarDigital Library
- D. Karapetyan, A. J. Parkes, G. Gutin, and A. Gagarin. Pattern-based approach to the workflow satisfiability problem with user-independent constraints. CoRR, abs/1604.05636, 2016.Google Scholar
- M. Leitner and S. Rinderle-Ma. A systematic review on security in process-aware information systems--constitution, challenges, and future directions. Inf. and Soft. Tech., 56(3):273--293, 2014. Google ScholarDigital Library
- J.C. Mace, C. Morisset, and A. Moorsel. Quantitative workflow resiliency. In Proc. of ESORICS, 2014.Google ScholarCross Ref
- R.T. Marler and J.S. Arora. Survey of multi-objective optimization methods for engineering. Structural and Multidisciplinary Optimization, 26(6):369--395, 2004.Google ScholarCross Ref
- A. Roy, S. Sural, A.K. Majumdar, J. Vaidya, and V. Atluri. Minimizing organizational user requirement while meeting security constraints. ACM Trans. Manage. Inf. Syst., 6(3):12:1--12:25, 2015. Google ScholarDigital Library
- R. Sebastiani and P. Trentin. OptiMathSAT: A Tool for Optimization Modulo Theories. In Proc. of CAV, 2015.Google ScholarCross Ref
- W.M.P. van der Aalst, A.H.M. ter Hofstede, B. Kiepuszewski, and A.P. Barros. Workflow patterns. Distributed Parallel Databases, 14(1):5--51, 2003. Google ScholarDigital Library
- Q. Wang and N. Li. Satisfiability and resiliency in workflow authorization systems. TISSEC, 13, 2010. Google ScholarDigital Library
- M. Weske. Business Process Management: Concepts, Languages, Architectures. Springer, Secaucus, NJ, USA, 2007. Google ScholarDigital Library
Index Terms
- Solving Multi-Objective Workflow Satisfiability Problems with Optimization Modulo Theories Techniques
Recommendations
Constraint Branching in Workflow Satisfiability Problem
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and TechnologiesThere has been a considerable interest in recent years in the problem of workflow satisfiability which seeks an allocation of authorised users to every step of the workflow, subject to workflow specification constraints. Unfortunately, the workflow ...
Solving SAT and SAT Modulo Theories: From an abstract Davis--Putnam--Logemann--Loveland procedure to DPLL(T)
We first introduce Abstract DPLL, a rule-based formulation of the Davis--Putnam--Logemann--Loveland (DPLL) procedure for propositional satisfiability. This abstract framework allows one to cleanly express practical DPLL algorithms and to formally reason ...
Solving constraint satisfaction problems with SAT modulo theories
Due to significant advances in SAT technology in the last years, its use for solving constraint satisfaction problems has been gaining wide acceptance. Solvers for satisfiability modulo theories (SMT) generalize SAT solving by adding the ability to ...
Comments